gpg --refresh with large keyrings and hkps in 2.1.1

Ben McGinnes ben at adversary.org
Tue Apr 21 03:19:24 CEST 2015


On 20/04/2015 7:17 pm, Guilhem Moulin wrote:
> On Thu, 16 Apr 2015 at 08:49:50 +1000, Ben McGinnes wrote:
>> On 16/04/2015 7:17 am, Daniel Kahn Gillmor wrote:
>>> Tor circuits to a particular endpoint are likely to be stable over the
>>> period of time it would take to fetch the whole keyring.
>>
>> In a country with a decent Internet connection, sure.  Over here in
>> Australia, however, you can be pretty sure that you'll hit the ten
>> minute window more than once.
> 
> Doesn't gpg use a single connection for the whole --refresh-keys?  AFAIK
> the 10min window (‘MaxCircuitDirtiness’ in the torrc) is only relevant
> for new connections; I doubt the tor client kills existing TCP connections
> when updating circuits.

Hmm, that's a good point.  It means the only guaranteed way around that
is one of the lesser-used current workarounds (a python script using
requests and python-gnupg to get the keylist and grab keys
sequentially).

> To force a circuit update each 10min, you could refresh your keyring one
> key at a time.  Or use a tool like parcimonie [0], or simply use the
> gnupg-curl module with a different SOCKS5 username/password for each key
> (assuming the ‘IsolateSOCKSAuth’ flag is set in your torrc, which is the
> default):

The requests method above definitely works, with the tor socks
settings being used like any proxy parameter is with requests.

>     gpg --http-proxy=socks5h://$FPR:$RANDOM@127.0.0.1:9050 --recv-key $FPR
> 
> Unfortunately this is broken with 2.1, because dirmngr currently doesn't
> honor --http-proxy (Issue1786).

Which means I could presumably adapt my proxychains rule to that
method in the meantime.  I doubt there is much point, though; I
expect a number of these network related issues will be fixed before I
desperately need a full key refresh.  Still, these bits are useful and
duly filed away for the future, cheers.  :)

Hopefully one of the top ones on Werner's list is the TLS connections,
as that is almost certainly more important than an edge case like tor.


Regards,
Ben
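The one-key-at-a-time refresh with per-key SOCKS5 credentials that the thread describes, written out as an added example (this is not code from the gnupg project, from parcimonie, or from either poster). It fetches over HKP/HKPS with requests rather than through gpg, since the thread notes that 2.1's dirmngr ignores --http-proxy, and it hands every fetch a fresh username/password pair so that Tor's IsolateSOCKSAuth puts each key on its own circuit. Assumed: gpg on PATH, Tor's SocksPort at 127.0.0.1:9050, requests installed with SOCKS support (requests[socks]), and a keyserver reachable at KEYSERVER; the fingerprints in SAMPLE_LISTING are constructed.

```python
"""Refresh a keyring one key at a time over Tor, one fresh circuit per key.

Added example, not code from gnupg or from the thread.  Assumptions: gpg is on
PATH, a Tor SocksPort listens on 127.0.0.1:9050 with the default
IsolateSOCKSAuth, and requests is installed with SOCKS support.
"""
import secrets
import subprocess
import sys
from urllib.parse import quote

KEYSERVER = "https://hkps.pool.sks-keyservers.net"  # assumption: any HKP(S) server
TOR_SOCKS_HOST, TOR_SOCKS_PORT = "127.0.0.1", 9050   # assumption: default SocksPort

# Constructed sample of `gpg --with-colons --list-keys` output: two keys, the
# first with an encryption subkey.  All fingerprints are made up.
SAMPLE_LISTING = """\
tru::1:1429574364:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1420070400:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1420070400::DEADBEEF::Alice <alice@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1420070400::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:u:4096:1:89ABCDEF01234567:1420070400:::u:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1420070400::CAFEBABE::Bob <bob@example.org>::::::::::0:
"""


def parse_primary_fingerprints(colons_output):
    """Return primary-key fingerprints from --with-colons output.

    Each 'fpr' record belongs to the 'pub'/'sec' or 'sub'/'ssb' record just
    before it; only the ones following a primary key are refreshed.
    """
    fprs, want_next = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec"):
            want_next = True
        elif fields[0] in ("sub", "ssb"):
            want_next = False
        elif fields[0] == "fpr" and want_next:
            fprs.append(fields[9])   # field 10 carries the fingerprint
            want_next = False
    return fprs


def isolated_proxy_url(fpr, nonce=None, host=TOR_SOCKS_HOST, port=TOR_SOCKS_PORT):
    """Build a socks5h:// URL whose credentials are unique to this fetch.

    Tor does not validate the username/password; with IsolateSOCKSAuth it keys
    circuit choice on the pair, so a new pair means a new circuit.  socks5h
    makes Tor resolve the keyserver name instead of the local resolver.
    """
    nonce = nonce or secrets.token_hex(8)
    return f"socks5h://{quote(fpr)}:{quote(nonce)}@{host}:{port}"


def fetch_key(fpr, proxy_url, keyserver=KEYSERVER, timeout=60):
    """GET one key from the HKP lookup endpoint through the given proxy."""
    import requests  # imported lazily so the pure helpers work without it
    r = requests.get(
        f"{keyserver}/pks/lookup",
        params={"op": "get", "options": "mr", "search": "0x" + fpr},
        proxies={"http": proxy_url, "https": proxy_url},
        timeout=timeout,
    )
    r.raise_for_status()
    return r.content


def import_key(armored):
    """Hand the fetched armored key to gpg; it merges it into the keyring."""
    subprocess.run(["gpg", "--batch", "--import"], input=armored, check=True)


def refresh_all(colons_output):
    """Refresh every primary key, each over its own Tor circuit."""
    for fpr in parse_primary_fingerprints(colons_output):
        try:
            import_key(fetch_key(fpr, isolated_proxy_url(fpr)))
        except Exception as exc:       # one bad key must not abort the run
            print(f"{fpr}: {exc}", file=sys.stderr)


if __name__ == "__main__":
    listing = subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys"],
                             capture_output=True, text=True, check=True).stdout
    refresh_all(listing)
```

The same credential trick works with the `gpg --http-proxy=socks5h://$FPR:$RANDOM@127.0.0.1:9050 --recv-key $FPR` one-liner from the quoted message once dirmngr honors --http-proxy; until then the fetch has to happen outside gpg. Because every key gets its own circuit, a slow link simply makes the run longer rather than tripping over the MaxCircuitDirtiness window mid-transfer.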
